cheatengine63_downloader-q5nytnvfe.exe

Somoto Ltd.

Somoto operates a monetization platform known as the 'Better Installer' that lets third-party developers bundle various adware packages through an affiliate pay-per-install program. The application cheatengine63_downloader-q5nytnvfe.exe by Somoto has been detected as adware by 24 anti-malware scanners. The program is a setup application built with the Somoto BetterInstaller installer. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from www.cheatengine.org and multiple other hosts.
Publisher:
Somoto Ltd.  (signed and verified)

MD5:
f873fb056b3401bd044d64a3a13b005c

SHA-1:
c716ecc824c6ec2d17b5ae961b18cd37f581e774

SHA-256:
e2603ececf446fd6fd1a9391eb629d7a79f2740482c851df82939ecefb8b7c17

Scanner detections:
24 / 68

Status:
Adware

Explanation:
Uses the Somoto 'BetterInstaller' to bundle additional (unwanted) software during install without adequate consent.

Description:
This 'download manager' is also considered bundleware: a utility designed to download software (possibly legitimate or open-source) and bundle it with a number of optional offers, including ad-supported utilities, toolbars, shopping comparison tools and browser extensions.

Analysis date:
4/25/2024 8:47:17 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Application.Bundler.Somoto.I | 781
AhnLab V3 Security | Win-PUP/Somoto | 2014.12.07
Avira AntiVirus | APPL/Somoto.fses | 7.11.193.68
avast! | Win32:Somoto-O [PUP] | 2014.9-141216
AVG | Downloader | 2015.0.3259
Baidu Antivirus | Adware.Win32.Somoto | 4.0.3.141216
Bitdefender | Application.Bundler.Somoto.I | 1.0.20.1750
Bkav FE | HW32.Packed | 1.3.0.6267
Clam AntiVirus | Trojan.Agent-267630 | 0.98/21511
Dr.Web | Trojan.MulDrop4.11744 | 9.0.1.0350
ESET NOD32 | Win32/Somoto | 8.10837
F-Secure | Application.Bundler.Somoto | 11.2014-16-12_3
G Data | Application.Bundler.Somoto | 14.12.24
IKARUS anti.virus | PUA.Downloader | t3scan.1.8.5.0
Kaspersky | not-a-virus:Downloader.Win32.Agent | 14.0.0.2788
McAfee | Artemis!F873FB056B34 | 5600.6915
MicroWorld eScan | Application.Bundler.Somoto.I | 15.0.0.1050
NANO AntiVirus | Trojan.Nsis.Mazel.cwhyud | 0.28.6.63850
Panda Antivirus | PUP/MultiToolbar.A | 14.12.16.09
Qihoo 360 Security | Win32/Application.5d6 | 1.0.0.1015
Reason Heuristics | PUP.Somoto.c | 14.12.16.9
Sophos | Somoto BetterInstaller | 4.98
Trend Micro House Call | TROJ_GEN.R08NH07L514 | 7.2.350
VIPRE Antivirus | Trojan.Win32.Generic | 35486

File size:
700.4 KB (717,176 bytes)

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Somoto BetterInstaller

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
7/2/2014 8:00:00 AM

Valid to:
7/3/2015 7:59:59 AM

Subject:
CN=Somoto Ltd., O=Somoto Ltd., L=Tel Aviv, S=Israel, C=IL

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
6A0C39D0252522A9C448352858ACAACB

File PE Metadata
Compilation timestamp:
12/17/2010 5:14:15 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.56

CTPH (ssdeep):
12288:IF80oLG7BSfqAnccsWmEcDfP/496hKBiMSQVQu+FsRuahErcuexG6TuyYcsEFDpQ:IFdohkcs+czThKRVKu4sRTENexG6FrsB

Entry address:
0x380C

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, 7C, 01, 00, 00, E8, 87, 4D, 00, 00, 83, EC, 0C, 68, 01, 80, 00, 00, E8, 2A, 4A, 00, 00, 6A, 00, E8, 9B, 4D, 00, 00, 6A, 08, A3, 28, F9, 42, 00, E8, B1, 28, 00, 00, 6A, 00, 68, 60, 01, 00, 00, A3, D8, F9, 42, 00, 8D, 85, 90, FE, FF, FF, 50, 6A, 00, 68, 4C, A2, 40, 00, E8, E0, 4C, 00, 00, 83, EC, 0C, 68, 4D, A2, 40, 00, 68, 08, FA, 42, 00, E8, EF, 2A, 00, 00, 83, C4, 18, E8, E6, 49, 00, 00, 52, 52, 50, 68, 00, 80, 43, 00, E8, DA, 2A, 00, 00, 57, 6A, 00, E8, 29, 49, 00, 00, 83...

Entropy:
7.9574  (probably packed)

Code size:
30 KB (30,720 bytes)

The file cheatengine63_downloader-q5nytnvfe.exe has been seen being distributed by the following 2 URLs.

http://www.cheatengine.org/.../CheatEngine63_downloader-Q8NVsjihh.exe
